Bank of America: Whoops
and more on PLUTO DATA charges
by Rob 12:29PM Saturday Feb 26 2005
Bank of America has announced that it lost computer data tapes containing personal information on up to 1.2 million federal employees, including many Senators. Meanwhile, dozens of users in our scam-busting forum are trying to find out how criminals got hold of their credit card information.


pende_tim
Premium
join:2004-01-04
Andover, NJ
kudos:1

Watch how fast the laws change now!

Some Senators got their personal information lifted? Terrible. I am very sorry for anyone who is compromised.

Just watch how many more consumer protection laws are passed if even one of them gets "cloned" through identity theft.

i1me2ao
Premium
join:2001-03-03
TEXAS

Re: Watch how fast the laws change now!

how true..

Nerdtalker
Working Hard, Or Hardly Working?
Premium,MVM
join:2003-02-18
Tucson, AZ

Re: Watch how fast the laws change now!

said by i1me2ao:

how true..
It's sadly ironic that it has had to come to this to force some progress towards legislation that actually works.

Now that it hits home, perhaps they'll do something worthwhile.
--
Touch a thistle timidly, and it pricks you; grasp it boldly, and its spines crumble. -William S. Halsey

iPod Shuffle=iPos


I'm testing Gmail's spam filters: Broadbandreports1@gmail.com
Spam: 2785

Hub-bub

@rr.com

-1 recommendation

Yes, watch how fast! Call a credit card company and it sounds like India or some other country. I'm not as concerned about accidental compromises as about intentional ones - scattering our info all over the world. Look at HIPAA laws and nothing will be sacred or private anymore. Of course they always make laws after the fact.

Capitol Hill needs a warning sign, "Hazardous Waste"!
donaldk
Premium
join:2000-10-19
Halifax, NS
ROFLMAO!... CIBC (the bank I deal with) just did something stupid like that, faxing a whole whack of personal info to a New York junkyard. It took the junkyard threatening a lawsuit for it to stop; now they are not allowed to fax anything between branches.

Rob
In Deo speramus.
Premium
join:2001-08-25
Kendall, FL
kudos:2
Reviews:
·Comcast

2 recommendations

Sucks

I never liked BoA. But this sucks. I hope this is resolved quickly without too much damage.

Oh, and this is the first time news I submitted was accepted!
--
YourIP.US - Quickly Locate Your IP!
EasyWhois.us - It's Never Been So Easy!

ColdFiltered

join:2005-01-25
Atlanta, GA

Not a good company to work for ...

A friend's significant other works at one of BoA's local branches as a teller. It sounds like a company not worth working for. They are not required to telemarket after work if they do not get the minimum number of daily referrals.

Last week she was the only teller working, as the others decided to quit/move on. Was this the action of the local branch's management? Nope. It's from higher in the BoA food chain.

So, maybe this is an action of a disgruntled employee.

Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:13

Re: Not a good company to work for ...

This is no surprise. I've learned to laugh whenever I see BoA commercials on TV claiming they have higher standards. Hmm, losing records, transferring $50K to Europe, they are crap (like most things today) and this just adds to it!!

whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

2 edits

Laws Holding Data Miners Responsible

This is exactly why we need more laws to hold companies accountable in the event that consumer data gets stolen. Usually what happens is they blame it on the hacker, which they should, but even more so they should blame it on the company for collecting sensitive information and then failing to properly secure it.

I recently went through an event where I found a security hole in the local school district's SIS. Mainly that it was all cleartext based, and I informed the heads of the tech department downtown and our principal. It was brought up at a meeting with the previous superintendent.

The answer was that until something happens, nothing is going to be done. It has personal information including the SSN numbers of every student. I was further told that if we went to the press we would get in trouble because we were hacking. I'm sorry, but hacking what? It was all clear text. Mind you, the whole system uses one password and there are no logs at all to prove anything.

This is the kind of irresponsibility that companies and organizations have regarding "digital data." Things have changed and we need a new set of laws.
techjunkie137

join:2005-01-18
Covington, IN

2 recommendations

Re: Laws Holding Data Miners Responsible

More laws are not needed. I am the Chief Operating Officer of a commercial bank and believe me the laws exist.

Before the call for new laws goes out, go to the FFIEC's web site and read the guidance provided their on what is expected of each financial institution concerning Information Security. You will find that the average consumer really has no idea what laws and regulation already exist and ALL banks have to follow the same laws and regulations concerning this issue.

Can we say "Privacy Act" anyone?

No matter how many laws exist, humans make mistakes and no system is 100% secure period. You might like to know that all of that "confidential information" you are worried about banks keeping is REQUIRED by both law and regulation! Yes your government makes us ask for it and keep it and be able to use it to identify you when you do business with your bank. If we refuse they will put us out of business.

Can we say "Patriot Act" anyone?

The issue in this case seems to be the mishandling of a backup tape, not the bank's computer system being hacked.

If it was a hacker then yes blame it on the hacker he or she broke the law, and yes the company is also at fault even if they had done everything in their power to secure the network.

The blame is first on the person that thought it was acceptable to send a valuable data tape on a commercial airline without security precautions, and yes, blame it on the company and its management for allowing it to happen, and yes, blame the person that illegally took the tape.

If a law is the magic answer, then why did the person that took the data tape not stop and shudder in their tracks at the thought of breaking it? Laws are not the only answer, especially when they already exist.

In the end the bank will be held accountable according to the laws and regulations that already exist concerning this issue. They will be crawling with examiners and federal agents for the next several months.
lesopp

join:2001-06-27
Land O Lakes, FL

Re: Laws Holding Data Miners Responsible

said by techjunkie137:

More laws are not needed. I am the Chief Operating Officer of a commercial bank and believe me the laws exist.

Before the call for new laws goes out, go to the FFIEC's web site and read the guidance provided their on what is expected of each financial institution concerning Information Security.
It is my understanding that BoA decided that this was not an issue that will affect their customers and decided not to take further action to protect those whose information was "misplaced". In my book BoA is the one that screwed the pooch and therefore has a conflict of interest on the matter. Only one more law is needed, one that requires an independent review to determine if the customers interests are threatened along with appropriate counter measures.

Maybe you're part of the problem. There is a difference between "their" and "there".
techjunkie137

join:2005-01-18
Covington, IN

Re: Laws Holding Data Miners Responsible

You might want to re-read the article. Bank of America contacted the proper authorities and was told that they could not discuss the issue until the FBI and Secret Service completed their initial investigation. This issue happened in December and Bank of America was not free to discuss this issue until they obtained permission to do so.

You can make personal attacks if you like. When people run out of intelligent things to say they criticize others and try to throw blame. That's OK. I deal with people like that every day! They are the same ones that never overdraft!

I apologize for my misuse of the word "there" that you mentioned above. Even though it was an oversight in my haste to post, you might want to pass a law prohibiting it! I am sure that will stop it from happening in the future.
Maggs
Premium
join:2002-11-29
Woodside, NY
Reviews:
·RCN CABLE

Get the average

Someone should determine the average cost of ID theft, and charge companies like Bank of America who neglect and leave open avenues for theft that amount per person's info stolen.

Let's say in this case $25,000 per..

1.2 million

Which would be about $30,000,000,000 or $30 billion.

If they got slapped with that fine, I am sure they would make it a PITA to get sensitive information.
--
Lost my mind, and can't find it. Maybe Mapquest can help.

Midak
Doctors suck
Premium
join:2002-02-26
Yonkers, NY

Re: Get the average

Actually, it is companies like Bank of America who pay for it along with their debt buyers. If you are a victim of fraud and you are willing to take the time to get a police report and sign an affidavit of fraud, you will not pay for the debt in question. I would be making a lot more money right now if we could make the consumer pay for fraudulent credit debts.

The other side of ID theft is the theft of someone's banking info, allowing someone to steal what you have in the bank, but this is extremely rare.
ASG9

join:2003-03-22
Big Easy

Re: Get the average

Most MC/Visa card issuers/processors anticipate a 10% loss due to fraud/theft. This amount is an industry average and is included in the charges they pass on to cardholders as annual fees or interest and to their merchant accounts.

izy
Premium,MVM
join:2000-09-21
endless loop
kudos:2
quote:
1. Victims now spend an average of 600 hours recovering from this crime, often over a period of years. Three years ago the average was 175 hours of time*, representing an increase of about 2470%.

2. Based on 600 hours times the indicated victim wages, this equals nearly $16,000 in lost potential or realized income.
»www.idtheftcenter.org/facts.shtml
--
"There's a fine line between fishing and just standing on the shore like an idiot." ~Steven Wright

koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23

Unanswered questions.

As I mentioned over at CNet, I'm incredibly confused by this entire situation.

I'm mainly focused upon how exactly the media came to acquire this information. It makes zero sense for a bank or financial institution to announce such a thing publicly, as they know it'd completely destroy any reputation they have for providing decent and secure financial services...

So how exactly did all of this come to light?
--
Making life hard for others since 1977.

Rob
In Deo speramus.
Premium
join:2001-08-25
Kendall, FL
kudos:2
Reviews:
·Comcast

Re: Unanswered questions.

said by koitsu:

As I mentioned over at CNet, I'm incredibly confused by this entire situation.

I'm mainly focused upon how exactly the media came to acquire this information. It makes zero sense for a bank or financial institution to announce such a thing publicly, as they know it'd completely destroy any reputation they have for providing decent and secure financial services...

So how exactly did all of this come to light?
Information like this must be passed on to the Federal Government and the FDIC. With every organization, there are "sources" that pass the information over to the media.
--
YourIP.US - Quickly Locate Your IP!
EasyWhois.us - It's Never Been So Easy!
techjunkie137

join:2005-01-18
Covington, IN

Re: Unanswered questions.

Rob is exactly correct! If you are a state chartered bank you have to notify your state regulatory agency and the FDIC since they insure your deposits.

If a bank were to keep this quiet and it was later found out, the regulators would most likely require the board to replace management, and the fines would be out of sight!

A privately held business can do as they see fit and simply be willing to handle a lawsuit if customers find out.

Even though banks are sometimes privately owned businesses, they have a totally different set of rules they have to agree to play by as a requirement for their charter and FDIC insurance.

koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23

1 edit
quote:
Information like this must be passed on to the Federal Government and the FDIC. With every organization, there are "sources" that pass the information over to the media.
So is it mandatory that banks and financial institutions do this (i.e. by law), good practise (i.e. not mandatory but in their best interests to do so), or completely optional?
--
Making life hard for others since 1977.

Rob
In Deo speramus.
Premium
join:2001-08-25
Kendall, FL
kudos:2
Reviews:
·Comcast

Re: Unanswered questions.

said by koitsu:

quote:
Information like this must be passed on to the Federal Government and the FDIC. With every organization, there are "sources" that pass the information over to the media.
So is it mandatory that banks and financial institutions do this (i.e. by law), good practise (i.e. not mandatory but in their best interests to do so), or completely optional?
I believe it's Mandatory if they are FDIC Insured. But then again, if you are dealing w/ a bank that isn't FDIC Insured, I wouldn't expect much from them anyways.
--
YourIP.US - Quickly Locate Your IP!
EasyWhois.us - It's Never Been So Easy!
techjunkie137

join:2005-01-18
Covington, IN

1 edit
Absolutely no option on this! Banks MUST report issues like this.

It is because any issue that can jeopardize the bank (even simply reputation) may require the FDIC insurance to kick in should the bank fail as a result of the incident. That is why the bank's regulatory agencies must be contacted. That is also why the regulatory agencies will have permanent offices at the bank for several months to see that things are corrected and handled properly.

I am not aware of any bank, credit union or thrift chartered in the United States without some sort of government insurance.

The bank I work for had a foreign entity put up a spoofed web site with only one letter changed in the URL, and we had to notify the State Department of Financial Institutions, the FDIC and the FBI, and the Secret Service got involved. In the end the site was taken down and no harm came of the incident.

koitsu
Premium,MVM
join:2002-07-16
Mountain View, CA
kudos:23

Re: Unanswered questions.

Great! Thank you for the verbose explanation. I've always been curious about stuff like this, hence my inquiry...

Again, thanks
--
Making life hard for others since 1977.

insomniac
Oh Yeah
Premium
join:2002-09-22
Naperville, IL
Reviews:
·Comcast
said by techjunkie137:

I am not aware of any bank, credit union or thrift chartered in the United States without some sort of government insurance.
I can name one credit union that does not have government insurance, but is insured by a private company called ASI. Customer's bank statements say that accounts are insured by this company, but in small print underneath the logo is the phrase "This institution is not federally insured."
--
If everything seems to be going well, you've obviously overlooked something.
techjunkie137

join:2005-01-18
Covington, IN

Re: Unanswered questions.

Federal Deposit Insurance is required for banks and S&Ls. Here is an excerpt from an article on Federal Deposit Insurance written by George G. Kaufman, Professor of Finance and Economics at Loyola University in Chicago:

Federal deposit insurance became law for commercial banks in 1933 as part of the Glass-Steagall Act, and for S&Ls in 1934.

The full article is here:
»www.econlib.org/library/Enc/Depo···nce.html

It does not mention credit unions. I have never worked for one and I am not as familiar with the laws and rules that govern them. Credit union deposits are not insured by the FDIC; they are insured by the National Credit Union Share Insurance Fund (NCUSIF). It is my understanding that all federally chartered credit unions must participate in the NCUSIF. State chartered credit unions can opt out of the NCUSIF and obtain insurance elsewhere.

The one thing I am certain of is that Credit Unions are required to adhere to the same laws and regulations as banks concerning data security. These are federal laws.

RayW
Premium
join:2001-09-01
Layton, UT
kudos:1

BoA and issues

I am one of those 'federal employees' who may be caught up in this. Can I check out if I was compromised? Not directly. The only access I have to my account is the balance due and the last payment. For all other information I must go through my card point of contact (who hates to work), something to do with preventing waste of taxpayers dollars even though on my credit report it shows as another personal credit card.

If I want to be able to check the card that I can only use for specific official business, but in all other ways has the potential to screw my credit just like any other CC, then I have to sign up for a special checking account with BoA. Riiight... I had a BoA account in the late 70's that I dumped when I graduated for a credit union account, never again if I can help it.

Of course the senators may not have that restriction, they may be their own POCs, unlike the working folk.
--
I am not lost, I find myself every time.
dflynn
Continental Op
Premium
join:2004-02-09
Chesterfield, MO

BoA: Lack of Security

Some time back I was doing some equipment installs at a BoA corporate office. I came upon a high security door with a cyberlock, and I called up to the super to get the combination. I was kind of surprised to find out it was only a single digit. I thought, geez, what kind of goof would put a $$$$ lock on a high security door that could be opened in 5 minutes just by trying all 5 entries on the keypad?

The door was to the Security office, go figure..

I hope they use at least 2 digits on the lock to the vault!

Vvian Kalyss

join:2003-10-14
Stage 5.0

Re: BoA: Lack of Security

Presumably, by the time you managed to bang upon the correct # through guessing, the automated alarms and weapons systems would have taken care of you.
--
Mikami Vvian, resident Girlfriend of Steel, care of the Tokyo-3 Middle Daughters Club
dflynn
Continental Op
Premium
join:2004-02-09
Chesterfield, MO

Re: BoA: Lack of Security

Well, Vvian, provided that the power cord for the whiz-bang intrusion detection system is plugged in..

The point I am trying to make here is..

"That fish rot from the head down",

If the people in charge of security (both physical and data) don't take the effort to follow basic security procedures on their own stuff, how the hell can they sit there and tell management and the customers with a straight face "we are protected"?

Security is only as good as the weakest link; blind faith in high tech gadgets, procedures, $$$, etc. will get you zapped every time..

LockSafe Miami

@bellsouth.net
That was not a CyberLock... It must have been a stupidly programmed, single door access control device using a built-in keypad. CyberLocks are a unique "new" system that is not accessed by push buttons.
ke4pym
Premium
join:2004-07-24
Charlotte, NC
Reviews:
·Northland Cable ..
·Time Warner Cable
·ooma
·VOIPO
·Verizon Broadban..

Who's really to blame?

Ultimately, yes, BoA is responsible for this. I'm not sure how they transport their tapes, but my company hires a third party to secure and transport our tapes to a secure location.

Does anyone have details on exactly how (or more precisely, WHO) handles their tape deliveries?
RayDogg
Raydogg

join:2000-07-16
Dayton, OH

New Cards?

My question is why they haven't started replacing the cards. Everyone whose information was stolen should have new cards in the mail by now.

Also, anyone want to place bets on if the contract is renewed after it's up.

RDins

@attbi.com

Bank of Where?

Bank of America should change their name to Bank of Asia. All their work is offshored over there anyway. Doesn't that give you a warm fuzzy feeling knowing all your information is being handled overseas? It doesn't surprise me that this happened to them; I'm just glad I don't bank with them.

Ivybridge_I7
Cyber-Crime Researcher OpSec
Premium
join:2004-06-09
Daytona Beach, FL
kudos:2

ChoicePoint Discloses Massive Identity Theft

»ChoicePoint Discloses Massive Identity Theft


Don't shoot the messenger,shoot the spammer
»www.antihotmail.com
Dslreports.com Profile: »profile.antihotmail.com
spammers_are_scumbags@antihotmail.com
Samwoo

join:2002-02-15
Rancho Palos Verdes, CA

3 edits

Who wrote the MSN article?

»www.msnbc.msn.com/id/7032779/
quote:
Trower said the company would not comment on the format of the data on the tapes -- and wouldn't say if the data was encrypted -- but she said it would be "virtually impossible" for anyone who found the tapes to access the data.
Now... unless there is any other way to make physical data inaccessible... I'd say it was encrypted.
Edit: Ohh.. I know. The tapes were in a super duper box that has an auto destruct mechanism unless the actual key is used to open it.

Funny... the article hints that the tapes were plucked off an airplane... geez, they up airport security for passengers... but the baggage is as insecure as ever.

Combat Chuck
Too Many Cannibals
Premium
join:2001-11-29
Verona, PA

2 edits

More on Pluto Data Charges?

Interesting, linking 2, as of this moment, still unrelated stories and providing no explanation or justification as to what the heck you mean. Best I can tell is the "Update" is that the post count on yesterday's story is higher than it was when you originally posted it.

Someone who didn't check the article would think that you had linked Pluto Data with the BOA incident. Or is that how you wanted it; big evil BOA gives Pluto Data CC #'s to use. It's not a hard leap to make when you look back over the "creative" headlines that have been posted on BBR over the past couple months.
--
sprry; I kust gpt s new leubprd////////keyboard

funchords
Hello
Premium,MVM
join:2001-03-11
Yarmouth Port, MA
kudos:6

Re: More on Pluto Data Charges?

I've been following both stories. I did not see BBR's headline as an attempt to link the two -- other than to merely refer to two recent stolen data stories.
--
Robb Topolski
http://www.funchords.com/
Hillsboro, Oregon USA

plk
Premium
join:2002-04-20
united state

I wonder what data was taken

I wonder what all this data is composed of? Did it contain spending records?
If so, I wonder if it shows "some of our senators are spending more than they make". Not to mention... "on what"!
--
Thermaltake 2000a/Asus P4C-e/p4 2.8/ocz3500 2x512/WD.2x200g/ATI 9600/APC sua 1500/Logitech z-680/ Samsung 213t LCD